Application deployment and Security

Question 1

Name the 4 tier structure for app deployment

Answer 1

Development
Testing
Staging
Production

Question 2

Development models (types of servers)? (4)

Answer 2

Bare Metal
Virtual Machine
Container Based
Serverless

Question 3

Difference between type 1 and type 2 hypervisor

Answer 3

Type 1 - Bare metal

Type 2 - runs as an application on a OS

Question 4

Types of infrastructure? (5)

Answer 4

On-premise
Private Cloud
Public Cloud
Hybrid Cloud
Edge Cloud

Question 5

What is docker?

Answer 5

Container based solution to contain an application, without worrying about underlying OS libraries etc.

Question 6

Dockerfile - to pull from and existing image (first line of docker file)?

Answer 6

FROM

Question 7

Dockerfile - set the working directory

Answer 7

WORKDIR

Question 8

Dockerfile - copy files

Answer 8

COPY

Question 9

Dockerfile - execute commands when docker starts

Answer 9

CMD

Question 10

Dockerfile - execute commands as part of the build

Answer 10

RUN

Question 11

Command to build docker image

Answer 11

docker build -t .

Question 12

Start a docker image

Answer 12

docker run image_name

Question 13

docker run -P vs -p

Answer 13

• p 8080:80 will translate local port 8080 to docker port 80

- P will use the dockerfile EXPOSE ports to local random ports

Question 14

docker run but detach option

Answer 14

docker run -d image_name

Question 15

docker - enter an running container

Answer 15

docker exec -it container_name /bin/sh

Question 16

download a docker image

Answer 16

docker pull NAME:TAG

Question 17

upload a docker image

Answer 17

docker push NAME:TAG

Question 18

list running docker images

Answer 18

docker ps

docker container ls

Question 19

In CI/CD explain what CI is

Answer 19

Its the process of continually merging small changes to the code so that any given change set is small with less impact than a big change

Question 20

In CI/CD whats the difference between Continuous Delivery vs Continuous Deployment

Answer 20

Delivery - ensures shorts sprints are always done to ensure code is deployable
Deployment - code is constantly deployed provided its tagged ready for production (tests are done in Delivery)

Question 21

Name methods to avoid impact to users when deploying new code or changes to code (3)

Answer 21

Rolling upgrade:
Canary Pipeline:
Blue/Green deployment

Question 22

CI/CD Benefits (6)

Answer 22

Integration with agile methods
Shorter MTTR
Automated deployment
Less disruptive
Improved quality
Improved time to market

Question 23

Load balance methods (6)

Answer 23

Persistent
Round Robin
Least Connections
IP Hash
Blue-Green
Canary

Question 24

Three common web attacks

Answer 24

SQL injection
Cross-Site Scripting (XSS)
CSRF

Question 25

Whats the difference between data at rest and data in flight

Answer 25

Data at rest - when data is being stored

Data in flight or in motion - when data is being transferred

Question 26

Things to consider when storing data (5)

Answer 26

Encrypting data: One way/Two way encryption
Software vulnerabilities: be mindfull when using existing libraries
Storing too much data: store what you need
Storing data in the cloud: data is stored on someone else hardware
Roaming devices: laptops, phones etc

Question 27

Explain one way vs two way encryption

Answer 27

One-way encryption: doesn’t need a key and doesn’t need to be decrypted once encrypted
Two-way encryption: Uses a key to encrypt and store then decrypt when you need it again

Question 28

Best practice for transporting data

Answer 28

SSH
TLS
VPN

Question 29

OWASP

Answer 29

Open Web Application Security Project

Defines tools and documentation to avoid common web security issues

Question 30

Top 10 OWASP list

Answer 30

• Injection
• Broken authentication
• Sensitive Data Exposure
• XML External Entities (XXE)
• Broken Access control
• Security Misconfiguration
• Cross-Site Scripting (XSS) -
• Insecure Deserialization
• Using components with known vulnerabilities -
• Insufficient logging and monitoring

Question 31

What is a salted password

Answer 31

Using random data to hash the password, ie the same password will have different hash.

Question 32

Password cracking methods

Answer 32

Password guessing
Dictionary attack
Rainbow table - using pre-compiled list of password hashes
Social engineering

Question 33

Types of attacks to gain information

Answer 33

• Phishing - fraudulently gaining information through links etc.
• Vishing (Voice Phishing) - voice calls to gain info
• Smishing - Phishing via sms
• Impersonation - impersonating someone of authority or service provider

Question 34

6 principles of human influence

Answer 34

○ Reciprocity - return a favour when asked
○ Commitment and consistency - when people commit they tend to honour it… ie sign up later checkbox.
○ Social Proof - follow the sheep mentality
○ Authority - People obey authority figures
○ Liking - like-able people can persuade people easily
○ Scarcity - when items or offers or limited, offers are taken up quickly

Question 35

What is ISC

Answer 35

Information Security Culture

The behavior of employees that has an impact on organizations data

Question 36

DevOps Principals (7)

Answer 36

Iterative - break process into smaller bits
Incremental - Projects need to be developed in small and rapid incremental cycles
Continuous - merge development and deployment into simpler process
Automated - everything can be automated
Self-service - What DevOps principle Every IT engineer should have the same development environment to develop and test projects
Collaborative - teams need to work together
Holistic - Treats process as a whole service

Question 37

Types of SQL injection

Answer 37

In-band SQL injection
Inferential or blind SQL injection
Out-of-band SQL injection